1. Field of the Invention
The present invention relates to an information processing system containing a transmission-side information processing apparatus, a reception-side information processing apparatus, and a protocol pass-preventing device, such as a firewall, which is connected between the transmission-side information processing apparatus and the reception-side information processing apparatus, and also relates to an information processing method executed in this information processing system.
2. Description of the Conventional Art
Normally, no communication can be carried out by using impermissible protocols between information processing apparatus which are isolated from each other by firewalls. Conventionally, there are two methods capable of establishing communications by using impermissible protocols. In a first method, the setting of the firewall is changed so that the impermissible protocol can pass through to the information processing apparatus. In other words, this first method sets the firewall such that the impermissible protocol is defined as a permissible protocol. The second method utilizes IPSec and L2F (Layer 2 Forwarding), which are used in a VPN (Virtual Private Network). This second method executes encapsulation by using a protocol of either the second layer (data link layer) or the third layer (network layer) of the OSI (Open Systems Interconnection) 7-layer model.
FIG. 3 is a block diagram for schematically showing a conventional information processing system to which the above-described second method is applied.
In FIG. 3, reference numeral 11 shows a transmission-side information processing apparatus, reference numeral 12 represents a transmission-side VPN apparatus, reference numeral 13 indicates a transmission-side firewall, and reference numeral 14 represents a reception-side firewall which is connected via the Internet to the transmission-side firewall 13. Also, reference numeral 15 indicates a reception-side VPN apparatus, and reference numeral 16 denotes a reception-side information processing apparatus.
Operations of the conventional information processing system having such an arrangement will now be explained with reference to FIG. 4, which is a flow chart describing process operations of the conventional information processing system shown in FIG. 3.
First, the transmission-side information processing apparatus 11 produces data to be transmitted (step S21). After the data has been produced, this data is transmitted from the transmission-side information processing apparatus 11 to the reception-side information processing apparatus 16 (step S22). When the data passes through the transmission-side VPN apparatus 12, this transmission-side VPN apparatus 12 applies the protocol header of either the second layer (data link layer) or the third layer (network layer) of the OSI 7-layer model to the original data produced by the transmission-side information processing apparatus 11. In other words, the transmission-side VPN apparatus 12 performs the encapsulation (step S23). The data to which this protocol header has been applied passes through the transmission-side firewall 13 (step S24), and then passes through the reception-side firewall 14 (step S25). When this data passes through the reception-side VPN apparatus 15, the reception-side VPN apparatus 15 deletes from the data the protocol header which was applied by the transmission-side VPN apparatus 12 in step S23 (step S26). Then, the reception-side VPN apparatus 15 transmits the data from which the protocol header has been deleted to the reception-side information processing apparatus 16 (step S27). In other words, the reception-side VPN apparatus 15 sends the original data formed by the transmission-side information processing apparatus 11 to the reception-side information processing apparatus 16. The reception-side information processing apparatus 16 receives this transmitted data and analyzes it (step S28).
Even when this method is used, in order that the encapsulated data may pass through the transmission-side firewall 13 and the reception-side firewall 14 in the above-described steps S24 and S25, the settings of the transmission-side firewall 13 and the reception-side firewall 14 must be changed beforehand. This method differs from the first method in that a setup is provided whereby the protocol header is applied to the transmitted data in step S23 and deleted from it in step S26. As a consequence, any person who does not know this setup cannot establish a communication, and this setup therefore compensates for the loss of security caused by the above-described change in the firewall settings. In other words, this conventional method presupposes that a reliable relationship has been established among the respective networks in which the information processing apparatus are present.
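The following model, added here as an illustration and not part of the patent text, walks through steps S22 to S27 of FIG. 4 and the two observations made about them: the firewall inspects only the outermost protocol header, so the tunnel protocol itself must be allowlisted beforehand, and a peer that does not share the tunnel setup cannot form a usable communication. The firewall is modelled as an allowlist of protocol names, and the outer header layout (tunnel identifier, inner protocol name) as well as the protocol names and payloads are constructed for this example; real IPsec and L2F headers differ.

```python
"""Constructed model of the encapsulation method of FIG. 3 / FIG. 4 (not the patent's own code)."""
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Datagram:
    """A unit of data as seen on the wire: outermost protocol name and payload."""
    protocol: str
    payload: bytes


@dataclass(frozen=True)
class Firewall:
    """Protocol pass-preventing device: passes only allowlisted protocols."""
    allowed: FrozenSet[str]

    def passes(self, dg: Datagram) -> bool:
        # Only the outermost protocol header is inspected; the inner data is opaque.
        return dg.protocol in self.allowed


class VpnApparatus:
    """Applies (step S23) and deletes (step S26) the tunnel protocol header.

    Header layout is constructed for this example: 4-byte tunnel id, 1-byte
    length of the inner protocol name, the name itself, then the inner payload.
    """

    def __init__(self, tunnel_protocol: str, tunnel_id: int) -> None:
        self.tunnel_protocol = tunnel_protocol
        self.tunnel_id = tunnel_id  # the shared setup known to both VPN apparatus

    def encapsulate(self, inner: Datagram) -> Datagram:
        name = inner.protocol.encode("ascii")
        header = struct.pack("!IB", self.tunnel_id, len(name)) + name
        return Datagram(self.tunnel_protocol, header + inner.payload)

    def decapsulate(self, outer: Datagram) -> Datagram:
        if outer.protocol != self.tunnel_protocol:
            raise ValueError("not a tunnel datagram")
        tunnel_id, name_len = struct.unpack_from("!IB", outer.payload, 0)
        if tunnel_id != self.tunnel_id:
            # A sender that does not know the setup cannot complete the communication.
            raise ValueError("unknown tunnel id")
        start = struct.calcsize("!IB")
        name = outer.payload[start:start + name_len].decode("ascii")
        return Datagram(name, outer.payload[start + name_len:])


def send_direct(dg: Datagram, tx_fw: Firewall, rx_fw: Firewall) -> Optional[Datagram]:
    """Baseline without encapsulation: the datagram must itself be permitted by both firewalls."""
    if tx_fw.passes(dg) and rx_fw.passes(dg):
        return dg
    return None


def send_via_vpn(dg: Datagram, tx_vpn: VpnApparatus, tx_fw: Firewall,
                 rx_fw: Firewall, rx_vpn: VpnApparatus) -> Optional[Datagram]:
    """Second method: encapsulate (S23), cross both firewalls (S24, S25), decapsulate (S26)."""
    outer = tx_vpn.encapsulate(dg)
    if not (tx_fw.passes(outer) and rx_fw.passes(outer)):
        return None  # dropped: the tunnel protocol is not allowlisted on this firewall
    return rx_vpn.decapsulate(outer)


if __name__ == "__main__":
    custom = Datagram("CUSTOM-PROTO", b"constructed sample payload")
    fw_strict = Firewall(frozenset({"HTTP"}))            # tunnel protocol not permitted
    fw_tunnel = Firewall(frozenset({"HTTP", "IPSEC"}))   # setting changed beforehand
    tx, rx = VpnApparatus("IPSEC", 0x1234), VpnApparatus("IPSEC", 0x1234)
    print("direct:", send_direct(custom, fw_tunnel, fw_tunnel))
    print("tunnel, strict firewalls:", send_via_vpn(custom, tx, fw_strict, fw_strict, rx))
    print("tunnel, prepared firewalls:", send_via_vpn(custom, tx, fw_tunnel, fw_tunnel, rx))
```

Running the block shows the three cases side by side: the impermissible protocol is dropped when sent directly, still dropped when tunnelled through firewalls that do not permit the tunnel protocol, and delivered unchanged once both firewall settings have been changed; a VPN apparatus with a different tunnel identifier raises `ValueError` at decapsulation, which is the setup dependency the text relies on for its security.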
However, when a communication using an impermissible protocol is made between information processing apparatus which are isolated from each other by firewalls, the following problems occur if the settings of the firewalls are merely changed. That is, security deteriorates, and the cumbersome operation of changing the settings of the firewalls every time a communication is carried out becomes necessary. Also, in the case of the VPN, there is another problem in that a reliable relationship must be established beforehand between the two networks which are isolated from each other by the firewalls, and a communication issued from a network with which such a reliable relationship could not be established is also interrupted.
In this conventional information processing system and information processing method, therefore, there is a demand that, even when the information processing apparatus are isolated from each other by a protocol pass-preventing device such as a firewall, the communication can be made by employing the impermissible protocol without changing the setting of the protocol pass-preventing device and without establishing a specific reliable relationship between the information processing apparatus which are isolated by the protocol pass-preventing device.